RE: RBL Misfires?

2004-10-13 Thread Nate Schindler


> -Original Message-
> From: Jeff Chan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 12, 2004 5:14 PM
> To: users@spamassassin.apache.org
> Subject: Re: RBL Misfires?
> 
> 
> It would be useful if you could forward the messages that falsely
> trigger on RBLs, along with name resolution results on the specific
> RBL nearby in time, such as:
> 
> > % dig vantagemobility.com.ws.surbl.org

The message is attached.
I ran that exact query against my DNS server, and both my ISPs' servers at the 
time it happened.  Got basically this (nada):

; <<>> DiG 9.2.1 <<>> vantagemobility.com.ws.surbl.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;vantagemobility.com.ws.surbl.org. IN   A

;; AUTHORITY SECTION:
ws.surbl.org.   900 IN  SOA a.surbl.org. zone.surbl.org. 
1097682081 900 450 604800 900

;; Query time: 247 msec
;; SERVER: 10.10.3.2#53(10.10.3.2)
;; WHEN: Wed Oct 13 09:17:27 2004
;; MSG SIZE  rcvd: 93

> (and similar lookups on numeric RBLs like
> dig 2.0.0.127.sbl.spamhaus.org)

; <<>> DiG 9.2.1 <<>> 2.0.0.127.sbl.spamhaus.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48647
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.sbl.spamhaus.org.IN  A

;; ANSWER SECTION:
2.0.0.127.sbl.spamhaus.org. 7200 IN A   127.0.0.2

;; AUTHORITY SECTION:
sbl.spamhaus.org.   172800  IN  NS  n.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  r.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  s.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  u.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  v.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  z.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  a.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  b.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  c.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  d.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  e.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  f.ns.spamhaus.org.
sbl.spamhaus.org.   172800  IN  NS  m.ns.spamhaus.org.

;; Query time: 409 msec
;; SERVER: 10.10.3.2#53(10.10.3.2)
;; WHEN: Wed Oct 13 09:25:29 2004
;; MSG SIZE  rcvd: 271

> 
> There have been other sporadic reports of RBL misfires, which
> leads me to wonder about the possibility of a rarely hit bug
> somewhere in the RBL code.  Unfortunately this kind of thing
> seems hard to debug given the dynamic nature of messages and
> RBLs, but there are enough reports to make me wonder
> 

Yeah... I know.  I'm not even sure if I have a problem or not.  I just recently 
turned on the report header for all mail, so that I could at least get a little 
more information without getting lost in constant debug output.  I'm keeping an 
eye on it for now.

The system, btw, is Red Hat 7.3, Sendmail 8.12.11, Spamass-Milter 0.2.0, SA 3.0 
(but I also noticed questionable RBL hits with 2.64), and Net::DNS 0.46.

The SA system is configured to use our internal DNS server, which has the 
typical default settings, afaik.
I do see cached entries for the RBLs in my DNS system, but when I actually 
catch what I believe to be a misfire on an RBL check, I don't see a cache 
record for it in my DNS.

One other thing that may be worth mentioning is that all messages come into 
sendmail from localhost.  MessageWall listens on the wire as a proxy.  The only 
obvious issue I saw with this is that SPF doesn't work.

> Jeff C.
> -- 
> Jeff Chan
> mailto:[EMAIL PROTECTED]
> http://www.surbl.org/
> 
> 
From "Karl Wein" Tue Oct 12 09:55:51 2004
Microsoft Mail Internet Headers Version 2.0
Received: from blacksheep.riconcorp.com ([10.10.3.5]) by pnork.ricon.us with 
Microsoft SMTPSVC(6.0.3790.0);
 Tue, 12 Oct 2004 09:56:43 -0700
Received: from riconcorp.com (blacksheep.riconcorp.com [127.0.0.1])
by blacksheep.riconcorp.com (8.12.11/8.12.11) with ESMTP id 
i9CB3Iu1012753
for <[EMAIL PROTECTED]>; Tue, 12 Oct 2004 09:56:32 -0700
X-MessageWall-Score: 0 (riconcorp.com)
X-MessageWall-Warning: MIME/REJECT: body part contains disallowed string: 
text/html
Received: from [165.251.41.49] by riconcorp.com (MessageWall 1.0.8md) with 
SMTP; 12 Oct 2004 16:56:22 -
Received: from jcmwsc09.mwjc.easylink.com (mwsmout-vip-1.mwjc.easylink.com 
[165.251.41.105])
by jcmwsm02.mwjc.easylink.com (8.12.9/8.12.9) with ESMTP id 
i9CGuLiJ008577
for <[EMAIL PROTECTED]>; Tue, 12 Oct 2004 12:56:21 -0

Re: RBL Misfires?

2004-10-13 Thread Jeff Chan
On Tuesday, October 12, 2004, 10:28:06 AM, Nate Schindler wrote:
> Once in a while, I notice a hit for an RBL-related test that seems a little 
> off.  When I check for the existence of a record in the list, I can't find 
> one.  Below is a match SA 3 found in an e-mail
> from one of our dealers.  I thought it was curious that they were listed, so 
> I checked into it, and couldn't find this domain in surbl.  This isn't 
> limited to URIBL lists.  I've noticed misfires in
> most of the lists SA checks.  My Net::DNS is v0.46.

> *  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist\n\t*   
> [URIs: vantagemobility.com]


> Any ideas?

> TIA,
> Nate

It would be useful if you could forward the messages that falsely
trigger on RBLs, along with name resolution results on the specific
RBL nearby in time, such as:

> % dig vantagemobility.com.ws.surbl.org
> 
> ; <<>> DiG 8.3 <<>> vantagemobility.com.ws.surbl.org
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50731
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;  vantagemobility.com.ws.surbl.org, type = A, class = IN
[...]

(and similar lookups on numeric RBLs like
dig 2.0.0.127.sbl.spamhaus.org)

There have been other sporadic reports of RBL misfires, which
leads me to wonder about the possibility of a rarely hit bug
somewhere in the RBL code.  Unfortunately this kind of thing
seems hard to debug given the dynamic nature of messages and
RBLs, but there are enough reports to make me wonder

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
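An added example (not code from this thread or from SpamAssassin) that builds the same query names the dig commands above use, for a URIBL domain lookup and for a reversed-octet numeric RBL lookup, and stamps each answer with the lookup time so a suspected misfire can be compared with the list's answer while it is still fresh. The offline resolver and its entries are constructed to mirror the two dig results quoted in the thread; `check_listing` defaults to the real system resolver.

```python
"""Reproduce DNSBL/URIBL lookups like the dig commands in the thread
and record when each answer was obtained (added example)."""
import ipaddress
import socket
import time


def rbl_query_name(target, zone):
    """Return the DNS name to look up for `target` in list `zone`.
    IPv4 addresses are reversed octet-wise (127.0.0.2 -> 2.0.0.127);
    domain names (URIBLs such as ws.surbl.org) are appended as-is."""
    try:
        ip = ipaddress.IPv4Address(target)
        label = ".".join(reversed(ip.exploded.split(".")))
    except ipaddress.AddressValueError:
        label = target.strip(".").lower()
    return f"{label}.{zone}"


def resolve_a(name):
    """Real resolver: A record as a string, or None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(target, zone, resolver=resolve_a):
    """Return (listed, answer, timestamp).  DNSBLs answer a listing with a
    127.0.0.x address; NXDOMAIN means not listed at the moment of the query,
    which is why the timestamp matters when chasing a transient listing."""
    name = rbl_query_name(target, zone)
    answer = resolver(name)
    listed = answer is not None and answer.startswith("127.")
    return listed, answer, time.strftime("%Y-%m-%d %H:%M:%S")


# Constructed offline resolver mirroring the thread's two dig results:
# the SBL test entry answers 127.0.0.2, the SURBL name is NXDOMAIN (absent).
FAKE_ZONE = {
    "2.0.0.127.sbl.spamhaus.org": "127.0.0.2",
}


def fake_resolve(name):
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for tgt, zone in (("127.0.0.2", "sbl.spamhaus.org"),
                      ("vantagemobility.com", "ws.surbl.org")):
        listed, ans, when = check_listing(tgt, zone, fake_resolve)
        print(f"{when} {rbl_query_name(tgt, zone)} -> {ans} listed={listed}")
```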



RE: RBL Misfires?

2004-10-12 Thread Nate Schindler
> -Original Message-
> From: Kelson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 12, 2004 10:57 AM
> To: users@spamassassin.apache.org
> Subject: Re: RBL Misfires?
> Most likely scenario:
> 
> 1. Someone erroneously reports the domain name to SURBL.
> 2. You receive and scan the message, which fires on URIBL_WS_SURBL.
> 3. Someone else realizes the listing is invalid, and it gets removed 
> from ws.surbl.org.
> 4. You read the message, wonder why the heck it triggered a 
> SURBL check, 
> and look it up.  Since it's already been removed, you don't find it.

This is a sound hypothesis, but I was actually watching the log at the time, 
and tried looking it up only moments after the test hit.
I looked at our internal DNS cache, and my ISPs' DNS servers with dig.  Couldn't 
find it in any of those.

If nobody else has ever heard of DNS tests misfiring like this, or doesn't think 
this could be a real problem, I'll assume it was cached in DNS *somewhere*.

Thanks,

Nate


Re: RBL Misfires?

2004-10-12 Thread Kelson
Nate Schindler wrote:
Once in a while, I notice a hit for an RBL-related test that seems a 
little off.  When I check for the existence of a record in the list, I 
can't find one.  Below is a match SA 3 found in an e-mail from one of 
our dealers.  I thought it was curious that they were listed, so I 
checked into it, and couldn't find this domain in surbl.
Most likely scenario:
1. Someone erroneously reports the domain name to SURBL.
2. You receive and scan the message, which fires on URIBL_WS_SURBL.
3. Someone else realizes the listing is invalid, and it gets removed 
from ws.surbl.org.
4. You read the message, wonder why the heck it triggered a SURBL check, 
and look it up.  Since it's already been removed, you don't find it.

--
Kelson Vibber
SpeedGate Communications 


Re: RBL Misfires?

2004-10-12 Thread Matt Kettler
At 01:28 PM 10/12/2004, Nate Schindler wrote:
Once in a while, I notice a hit for an RBL-related test that seems a 
little off.  When I check for the existence of a record in the list, I 
can't find one.  Below is a match SA 3 found in an e-mail from one of our 
dealers.  I thought it was curious that they were listed, so I checked 
into it, and couldn't find this domain in surbl.  This isn't limited to 
URIBL lists.  I've noticed misfires in most of the lists SA checks.  My 
Net::DNS is v0.46.

*  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL 
blocklist\n\t*  [URIs: vantagemobility.com]

Any ideas?
If you re-run the message through SA 3.0 does it match the WS list?
There's a small chance it was listed in the WS blocklist, then quickly 
retracted after Will realized it was a mistaken listing. This kind of thing 
does happen, and all of the SURBL lists are highly dynamic, changing very 
rapidly.